More on HSIN

Despite its troubled history, the DHS Homeland Security Information Network has demonstrated its capabilities as a platform for event management and disaster response. Read more.

HSIN is the primary platform for sharing sensitive but unclassified information among the Homeland Security Department and other federal, state and local agencies as well as the private sector. It is a secure Web portal with collaboration tools to enable real-time communication and managed access to data hosted at DHS data centers.

Release 3 of HSIN, which includes improved identity and access management and enhanced controls on information contributed by users, began rolling out to users in late 2012; the 10-year-old legacy platform has been discontinued.

First implemented in 2003, HSIN was intended to replace the informal personal networks for information sharing that predominated at that time. It has been used in the responses to events such as the Boston Marathon bombing in April, Superstorm Sandy in October 2012, and the Deep Water Horizon Oil Spill in 2010.

The limitations of ad hoc networks based on personal relationships had been tragically highlighted by the Sept. 11, 2001, terrorist attacks. “The question with HSIN was, how do you foster trust across the enterprise,” when face-to-face relationships were not possible, said Kshemendra Paul, the Information Sharing Environment program manager in the Office of the Director of National Intelligence. “That is a key part of what Release 3 is providing.”

Getting to Release 3 was not a simple task, however. “HSIN has been a little bit of a lightning rod,” Paul said.

Congress, the Government Accountability Office, and stakeholders all have criticized the early versions of the program. The inadequacy of security and information sharing in the original platform limited its use both by DHS and other members. These limitations were to be addressed in a new version, but HSIN Next Gen ran into management problems that led to its cancellation.

The GAO in 2008 said inadequate project management for the program presented a “risk of operating in an ad hoc and chaotic manner.” In July, GAO included HSIN Next Gen in a list of 15 failed federal IT projects.

What now is HSIN started as the Joint Regional Information Exchange System, a collaboration between the Defense Intelligence Agency and law enforcement agencies that was transferred to DHS in 2003. But because of conflicts between the needs of local law enforcement, intelligence analysts and counterterrorism agents, the system proved inadequate and in 2007 DHS had stopped updating it in favor of a complete replacement. The department continued to operate the legacy system while developing HSIN Next Gen. A $19 million task order (with four one-year options worth another $62 million) was awarded in 2008 and a four-phase transition to the new system was scheduled to being in May 2009. The original HSIN was to be shut down in September 2009 when HSIN Next Gen would be fully operational.

But by October 2008 GAO concluded that, “DHS has been challenged in its ability to efficiently and effectively manage the department’s existing primary information-sharing system. In particular, although DHS has invested upwards of $70 million on the system, it still does not fully meet user needs.” Development of the Next Gen system was plagued by a lack of project and acquisition planning, inadequate requirements development and poor risk management.

“Investing money given the current state of management controls puts the project at risk,” GAO concluded.

Then, in April 2009, one month before the transition to Next Gen was to begin, a hacker using federal credentials got into the system, accessing sensitive but unclassified information. This was followed by a second breach in May. In October 2010 DHS shut down Next Gen. GAO estimated that killing the project saved the department $129 million.

DHS reexamined HSIN user requirements and security needs, and in November 2010 got the go-ahead from the Office of Management and Budget for Release 3, which would feature better identity management and access control and would fit in with the department’s plans to consolidate its Web portals, reducing the number of sites providing the same types of services. Development began in September 2011 and in July 2012 it achieved initial operating capability.

DHS took to heart GAO recommendations for fully staffing a HSIN program office with clearly identified roles and accountability, pursuing a requirements-based development process with appropriate change controls, and ensuring risk management for the development and procurement cycle.

“It all starts with leadership,” said Brody, who gives Donna Roy, executive director of the DHS Information Sharing Environment Office, much of the credit for the success of the program. There was a strong senior management team and accountability to a timeline and to stakeholders, he said. The focus was on user needs, he said. “There is no room for ego.”

The legacy HSIN was decommissioned in August 2013 and 40,000 users and millions of documents have been moved to the new system. Release 3 is on track to achieve full operating capability by the end of the year, Brody said. All users receive in-person identity verification before being given an account, and access now requires two-factor authentication. Users logging onto an account must not only use a user-ID and password, but also a code sent out-of-band to a device such as a phone that they must also have in their possession.

The agencies that upload information to the system retain control over it. The information is tagged by the owners with metadata that is matched with access rights to determine who can access and use it.

This tagging for access management is enabled by Microsoft’s SharePoint collaboration software. The platform also uses Adobe Connect Web conferencing software and Cisco Jabber for instant messaging. Administrators have created 140 communities of interest to allow collaboration, sharing and chatting among the group.

Some work remains in fleshing out HSIN Release 3. Simplified sign-on is being planned to enable interoperability with other networks, including Law Enforcement Online (LEO), the FBI’s information sharing network; Regional Information Sharing Systems (RISS), a network of distributed law enforcement systems; and Intelink, the intelligence community’s network of intranets.

HSIN also is in the process of joining the National Identity Exchange Federation, using the Federal ICAM Backend Attribute Exchange, a standards-based architecture for exchanging credentials for verification from authoritative sources.

These enhancements are expected to more fully integrate HSIN Release 3 into the federal, state and local public safety communities.